Cisco VPN Client setup

Nick Sinyakov (Level 1)

Hi Cisco gurus,

Please help me set up VPN access on an ASA 5505 for the Cisco VPN Client. I'd like to leave the clients' gateway as it is, but get access to the remote networks 192.168.17.0/24 and 192.168.10.0/24 (the last one is connected via site-to-site).

I will be very grateful for your help.

My config:

Result of the command: "show conf"


!
ASA Version 8.2(2)
!
hostname host1
domain-name domain
enable password password encrypted
passwd password  encrypted
names
!
interface Vlan1
description INTERNET
mac-address 0000.0000.0001
nameif WAN
security-level 0
ip address a.a.a.a 255.255.255.248 standby a1.a1.a1.a1
ospf cost 10
!
interface Vlan2
description OLD-PRIVATE
mac-address 0000.0000.0102
nameif OLD-Private
security-level 100
ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3
ospf cost 10
!
interface Vlan6
description MANAGEMENT
mac-address 0000.0000.0106
nameif Management
security-level 100
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
ospf cost 10
!
interface Vlan100
description LAN Failover Interface
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport trunk allowed vlan 2,6
switchport mode trunk
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup WAN
dns server-group DefaultDNS
name-server dns.dns.dns.dns
domain-name domain
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
description RDP
port-object eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit icmp a.a.a.a 255.255.255.248 192.168.10.0 255.255.255.0 log debugging inactive
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list WAN_access_in extended permit icmp a.a.a.a 255.255.255.248 a.a.a.a 255.255.255.248 log debugging
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit object-group DM_INLINE_PROTOCOL_1 interface OLD-Private 192.168.10.0 255.255.255.0 log debugging inactive
access-list OLD-PRIVATE_access_in extended permit object-group TCPUDP interface OLD-Private any log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.10.254 interface OLD-Private log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.17.155 interface OLD-Private log debugging
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list capin extended permit ip host 192.18.17.155 host 192.168.10.7
access-list capin extended permit ip host 192.168.10.7 host 192.168.17.155
access-list LAN_access_in extended permit ip any any log debugging
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip any 192.168.17.240 255.255.255.252
access-list WAN_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.248
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0
access-list IPSec_VPN_splitTunnelAcl standard permit any
access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn_ipsec_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging debug-trace
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Vlan100
failover polltime interface 15 holdtime 75
failover key *****
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit host b.b.b.b WAN
icmp permit 192.168.10.0 255.255.255.0 WAN
icmp permit host c.c.c.c WAN
icmp permit 192.168.17.0 255.255.255.0 WAN
icmp deny any WAN
icmp permit host b.b.b.b OLD-Private
icmp permit 192.168.10.0 255.255.255.0 OLD-Private
icmp permit 192.168.17.0 255.255.255.0 OLD-Private
icmp permit host c.c.c.c OLD-Private
icmp permit host b.b.b.b Management
icmp permit host 192.168.10.0 Management
icmp permit host 192.168.17.138 Management
icmp permit 192.168.1.0 255.255.255.0 Management
icmp permit host 192.168.1.26 Management
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
global (OLD-Private) 1 interface
global (Management) 1 interface
nat (OLD-Private) 0 access-list WAN_nat0_outbound
nat (OLD-Private) 1 0.0.0.0 0.0.0.0
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 a.a.a.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http a.a.a.a 255.255.255.255 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer b.b.b.b
crypto map WAN_map 1 set transform-set ESP-DES-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh b.b.b.b 255.255.255.255 WAN
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config OLD-Private
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc webvpn
group-policy admin internal
group-policy admin attributes
dns-server value dns.dns.dns.dns
vpn-tunnel-protocol IPSec
group-policy vpn_ipsec internal
group-policy vpn_ipsec attributes
dns-server value 192.168.17.80 dns.dns.dns.dns
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_ipsec_splitTunnelAcl
address-pools value vpnclient
username admin password password encrypted privilege 15
username n1ck password password encrypted privilege 15
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool IPSec_VPN_pool
address-pool vpnclient
authorization-server-group LOCAL
default-group-policy admin
tunnel-group admin ipsec-attributes
pre-shared-key *
tunnel-group b.b.b.b type ipsec-l2l
tunnel-group b.b.b.b general-attributes
default-group-policy admin
tunnel-group b.b.b.b ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group vpn_ipsec type remote-access
tunnel-group vpn_ipsec general-attributes
address-pool vpnclient
default-group-policy vpn_ipsec
tunnel-group vpn_ipsec ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

Jennifer Halim (Cisco Employee)

I see that you have actually started on some of the configuration for the Cisco VPN Client. Can you please advise which tunnel-group you are planning to use for the Cisco IPSec VPN Client connection?

Once you confirm that, we can help you out with the rest of the missing configuration. Thanks.

Hi Jennifer,

Yes, I've started setting up the IPSec VPN. I'm planning to use the vpn_ipsec tunnel-group for that. I've also tried to split traffic according to http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#unableto. No success. Currently I can't connect via the Cisco VPN Client.

Great thanks for the confirmation. There are a few missing configurations and also some configuration mistakes.

Here they are:

1) Split tunnel access-list is incorrect:

access-list vpn_ipsec_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

It should be permitting your internal network. Please add and remove as follows:

access-list vpn_ipsec_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0

no access-list vpn_ipsec_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

2) NAT 0 access-list should also include traffic between local subnet towards the VPN IP Pool:

access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0

3) Dynamic-map has not been created and assigned to crypto map:

crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA

crypto map WAN_map 65000 ipsec-isakmp dynamic dynmap

4) Lastly, you have not enabled IPSec protocol under your group-policy:

group-policy vpn_ipsec attributes

     vpn-tunnel-protocol IPSec

Hope that helps.

If it still doesn't work after the above changes, please kindly share the latest config, and also the output of the following debugs when attempting to connect:

debug cry isa

debug cry ipsec

Thanks Jennifer.

Now I'm able to connect via the Cisco VPN Client. But I can't get access to either the network or the Internet after connecting.

ASA5505# debug cry isa
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
ASA5505# debug cry ipsec
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session

ASA5505# show cry ipsec sa
interface: WAN
    Crypto map tag: dynmap, seq num: 10, local addr: a.a.a.a

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
      current_peer: d.d.d.d, username: test
      dynamic allocated peer ip: 192.168.2.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 386, #pkts decrypt: 386, #pkts verify: 386
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: a.a.a.a/4500, remote crypto endpt.: d.d.d.d/1212
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 3EEDB4E3
      current inbound spi : 9A98ECBD

    inbound esp sas:
      spi: 0x9A98ECBD (2593713341)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1540096, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 28168
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x3EEDB4E3 (1055765731)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1540096, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 28168
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Excellent, we are a step closer to resolution.

Your debug output has been redirected to syslog, that's why there is no output on the screen for you to capture.

The output of "show cry ipsec sa" is showing that traffic is being encrypted from the VPN Client, and the ASA decrypts it; however, the ASA does not get any reply back from your LAN.

Can you please advise what you try to access (which IP address and what protocol) after you are connected on the VPN Client? Please check that the host that you are trying to access has its firewall turned off, as a firewall normally prevents access from different subnets.

Also try to add: management-access OLD-Private

Then see if you can ping 192.168.17.2 from the VPN.

Lastly, please share the latest configuration if the above still doesn't resolve the issue.
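As an added illustration of how the counters above are read (this is editor-supplied Python, not code from the thread or from Cisco), the following parses a trimmed, constructed copy of the "show cry ipsec sa" block posted earlier and classifies each SA by its encaps/decaps pair. The sample text, the SaCounters field names, the diagnosis labels and the EXPLANATION wording are the example's own; the one-way-inbound explanation restates the reply above (decrypted packets but no reply from the LAN, so look at NAT exemption and host firewalls).

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed "show crypto ipsec sa" block shaped like the one
# posted in the thread (one remote-access SA: 386 packets decrypted, none encrypted).
SAMPLE_SA_OUTPUT = """\
interface: WAN
    Crypto map tag: dynmap, seq num: 10, local addr: a.a.a.a

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
      current_peer: d.d.d.d, username: test
      dynamic allocated peer ip: 192.168.2.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 386, #pkts decrypt: 386, #pkts verify: 386
      #send errors: 0, #recv errors: 0
"""

# One SA block starts at each "Crypto map tag:" line.
SA_HEADER = re.compile(
    r"^\s*Crypto map tag: (?P<cmap>[^,]+), seq num: (?P<seq>\d+), local addr: (?P<local>\S+)", re.M)


@dataclass
class SaCounters:
    crypto_map: str
    seq: int
    peer: str
    remote_ident: str
    encaps: int        # packets the ASA encrypted toward the peer
    decaps: int        # packets the ASA received and decrypted from the peer
    send_errors: int
    recv_errors: int


def _field(chunk, pattern, cast=str, default=None):
    m = re.search(pattern, chunk)
    return cast(m.group(1)) if m else default


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one SaCounters per crypto-map entry."""
    heads = list(SA_HEADER.finditer(text))
    result = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        chunk = text[h.start():end]
        result.append(SaCounters(
            crypto_map=h["cmap"].strip(), seq=int(h["seq"]),
            peer=_field(chunk, r"current_peer: ([^,\s]+)", default=""),
            remote_ident=_field(chunk, r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)", default=""),
            encaps=_field(chunk, r"#pkts encaps: (\d+)", int, 0),
            decaps=_field(chunk, r"#pkts decaps: (\d+)", int, 0),
            send_errors=_field(chunk, r"#send errors: (\d+)", int, 0),
            recv_errors=_field(chunk, r"#recv errors: (\d+)", int, 0),
        ))
    return result


def diagnose(sa):
    """Classify what the encaps/decaps pair says about the tunnel (labels are this example's own)."""
    if sa.send_errors or sa.recv_errors:
        return "errors"
    if sa.decaps and not sa.encaps:
        return "one-way-inbound"      # the case in the thread: nothing comes back from the LAN
    if sa.encaps and not sa.decaps:
        return "one-way-outbound"
    if not sa.encaps and not sa.decaps:
        return "idle"
    return "bidirectional"


EXPLANATION = {
    "one-way-inbound": ("the ASA decrypts the client's packets but never encrypts a reply: the LAN side "
                        "is not answering, so check NAT exemption for the pool and host firewalls"),
    "one-way-outbound": "the ASA encrypts toward the peer but receives nothing back",
    "idle": "no traffic has used this SA yet",
    "errors": "the SA reports send/receive errors; inspect those before reading the counters",
    "bidirectional": "traffic flows in both directions",
}


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_SA_OUTPUT):
        print(f"{sa.crypto_map}#{sa.seq} {sa.remote_ident} encaps={sa.encaps} decaps={sa.decaps}: "
              f"{diagnose(sa)} ({EXPLANATION[diagnose(sa)]})")
```

Run against real output, the script lists every SA on the box, so a LAN-to-LAN entry and a remote-access entry can be compared side by side; the thread's case shows up as one-way-inbound, which is the signature of a return-path problem rather than a crypto negotiation problem.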

I've checked: the firewall is currently disabled.

I'm trying to get access to network 192.168.17.0/24 (port 3389 RDP, ICMP); I would also like to get access to the Internet via gateway 192.168.17.2, and to network 192.168.10.0/24 (connected via the site-to-site VPN), port 3389 RDP and ICMP.

During an RDP connection over the Cisco VPN connection I'm getting:

6    Mar 02 2011    14:30:19    302015    192.168.2.1    63237    dns.dns.dns.dns    53    Built inbound UDP connection 359105 for WAN:192.168.2.1/63237 (192.168.2.1/63237) to WAN:dns.dns.dns.dns/53 (dns.dns.dns.dns/53) (admin)

Same error when pinging the remote network and pinging 192.168.17.2.

During a ping from the remote network 192.168.17.0/24 to my PC 192.168.2.1:

6    Mar 02 2011    14:41:15    302021    192.168.2.1    0    192.168.17.138    1    Teardown ICMP connection for faddr 192.168.2.1/0 gaddr 192.168.17.138/1 laddr 192.168.17.138/1

management-access OLD-Private: nothing changed.

Sorry, I am confused now.

Why are you trying to ping from 192.168.17.0/24 towards your PC? You should be pinging from your PC where the VPN Client is connected from, towards 192.168.17.0/24 network.

OK, let's sort out the access from the VPN Client towards the 192.168.17.0/24 subnet first, then the Internet connection, and lastly the LAN-to-LAN access from the VPN Client.

Can you please advise the following:

1) Which tunnel-group do you use to connect with the VPN Client? This will be what is configured as the VPN Client group name.

2) Do you want the Internet access to go directly out via the VPN Client, or would you like the Internet traffic to be encrypted towards the ASA, and out via the ASA? This will determine if you want split tunnel or no split tunnel. With split tunnel you are basically saving bandwidth on your ASA end, as the Internet traffic will just go straight out from the VPN Client's local connection. However, if you have web filtering/proxy that you want to use, then you will need to disable split tunnel so all the traffic gets routed towards the ASA.

3) Please share your latest configuration.

Thanks Jennifer. Your answer is very useful and understandable. I don't need access (ping) from 192.168.17.x to my PC, but I need SMB from my PC to 192.168.17.x in addition to RDP and ping.

I'd like to use split tunnel and leave current gateway for Internet access.

vpn_ipsec is the VPN tunnel-group.

Latest config:

Result of the command: "show conf"

: Saved
: Written by me at 14:45:21.384 NZDT Wed Mar 2 2011
!
ASA Version 8.2(2)
!
hostname ASA5505
domain-name domain
enable password password  encrypted
passwd password  encrypted
names
!
interface Vlan1
description INTERNET
mac-address 0000.0000.0001
nameif WAN
security-level 0
ip address a.a.a.a 255.255.255.248 standby a1.a1.a1.a1
ospf cost 10
!
interface Vlan2
description OLD-PRIVATE
mac-address 0000.0000.0102
nameif OLD-Private
security-level 100
ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3
ospf cost 10
!
interface Vlan6
description MANAGEMENT
mac-address 0000.0000.0106
nameif Management
security-level 100
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
ospf cost 10
!
interface Vlan100
description LAN Failover Interface
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport trunk allowed vlan 2,6
switchport mode trunk
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup WAN
dns server-group DefaultDNS
name-server dns.dns.dns.dns
domain-name domain
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
description RDP
port-object eq 3389
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip 192.168.17.0 255.255.255.0 any log debugging
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list capin extended permit ip host 192.18.17.155 host 192.168.10.7
access-list capin extended permit ip host 192.168.10.7 host 192.168.17.155
access-list LAN_access_in extended permit ip any any log debugging
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip any 192.168.17.240 255.255.255.252
access-list WAN_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.248
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.248
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0
access-list IPSec_VPN_splitTunnelAcl standard permit any
access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn_ipsec_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging debug-trace
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Vlan100
failover polltime interface 15 holdtime 75
failover key *****
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit host c.c.c.c WAN
icmp permit 192.168.10.0 255.255.255.0 WAN
icmp permit 192.168.17.0 255.255.255.0 WAN
icmp deny any WAN
icmp permit host c.c.c.c OLD-Private
icmp permit 192.168.10.0 255.255.255.0 OLD-Private
icmp permit 192.168.17.0 255.255.255.0 OLD-Private
icmp permit host c.c.c.c Management
icmp permit host 192.168.10.0 Management
icmp permit host 192.168.17.138 Management
icmp permit 192.168.1.0 255.255.255.0 Management
icmp permit host 192.168.1.26 Management
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
global (OLD-Private) 1 interface
global (Management) 1 interface
nat (OLD-Private) 0 access-list WAN_nat0_outbound
nat (OLD-Private) 1 0.0.0.0 0.0.0.0
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 d.d.d.d 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http a.a.a.a 255.255.255.255 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer c.c.c.c
crypto map WAN_map 1 set transform-set ESP-DES-SHA
crypto map WAN_map 65000 ipsec-isakmp dynamic dynmap
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh c.c.c.c 255.255.255.255 WAN
ssh timeout 30
ssh version 2
console timeout 0
management-access OLD-Private
dhcpd auto_config OLD-Private
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc webvpn
group-policy admin internal
group-policy admin attributes
dns-server value dns.dns.dns.dns
vpn-tunnel-protocol IPSec
group-policy vpn_ipsec internal
group-policy vpn_ipsec attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_ipsec_splitTunnelAcl
username user password password  encrypted privilege 15
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool IPSec_VPN_pool
address-pool vpnclient
authorization-server-group LOCAL
default-group-policy admin
tunnel-group admin ipsec-attributes
pre-shared-key *
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c general-attributes
default-group-policy admin
tunnel-group c.c.c.c ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group vpn_ipsec type remote-access
tunnel-group vpn_ipsec general-attributes
address-pool vpnclient
default-group-policy vpn_ipsec
tunnel-group vpn_ipsec ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

P.S. What should I change to disable split tunnel and use the ASA as the gateway? (This is for my own knowledge.)

That is incorrect. If you want to use tunnel-group: vpn_ipsec, on the VPN Client under group authentication: name should say "vpn_ipsec", instead of "admin".

Please change the name to "vpn_ipsec" on your vpn client, and test again (and assuming that you will be using the corresponding pre-share key assigned to vpn_ipsec ).

It's magic. Works perfectly!

How can I add access to the 192.168.10.x network via the Cisco VPN Client?

Many thanks

Perfect!!

Ok, now to access 192.168.10.x, a few things need to be configured:

1) Split tunnel needs to include that subnet:

access-list vpn_ipsec_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0

2) Then you will need to add the following to the LAN-to-LAN tunnel:

access-list WAN_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0

3) At the same time, you will also need to add the mirror image access-list on the other end of the LAN-to-LAN tunnel peer (b.b.b.b) device.

4) Also, you will need to add NAT exemption on the peer device for the traffic between 192.168.10.0/24 and 192.168.2.0/24.

5) Once the above has been completed, clear down the tunnels on both ends and clear the translation on the peer end (b.b.b.b).
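To tie together the four prerequisites from the earlier accepted answer (split-tunnel ACL, NAT 0 exemption, dynamic crypto map, vpn-tunnel-protocol IPSec) with the split-tunnel and crypto ACL additions in this reply, here is an added Python checker. It is editor-supplied, not code from the thread or from Cisco: it parses a constructed ASA 8.2-style excerpt and reports which of those items are missing. The CONFIG_BEFORE/CONFIG_AFTER strings, the function names and the finding texts are the example's own; it understands only the line shapes seen in this thread (standard ACLs, extended ip ACLs with network/mask, host or any, ip local pool, nat 0, crypto map and dynamic-map, group-policy and tunnel-group attributes), and it cannot see the peer-side mirror ACL and NAT exemption from steps 3 and 4, which have to be checked on the b.b.b.b device.

```python
import ipaddress

# Constructed ASA 8.2-style excerpts (not the thread's full "show conf"): CONFIG_BEFORE has the four
# defects the accepted answer lists, CONFIG_AFTER adds the fixes plus the 192.168.10.0/24 LAN-to-LAN leg.
CONFIG_BEFORE = """\
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn_ipsec_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
nat (OLD-Private) 0 access-list WAN_nat0_outbound
crypto map WAN_map 1 match address WAN_1_cryptomap
group-policy vpn_ipsec attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_ipsec_splitTunnelAcl
tunnel-group vpn_ipsec general-attributes
address-pool vpnclient
default-group-policy vpn_ipsec
"""
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "permit 192.168.2.0 255.255.255.0", "permit 192.168.17.0 255.255.255.0\n"
    "access-list vpn_ipsec_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0") + """\
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map WAN_map 65000 ipsec-isakmp dynamic dynmap
group-policy vpn_ipsec attributes
vpn-tunnel-protocol IPSec
"""
# Sub-mode keywords that continue a group-policy / tunnel-group block (pasted configs lose indentation).
ATTR_KEYS = {"vpn-tunnel-protocol", "split-tunnel-policy", "split-tunnel-network-list",
             "address-pool", "default-group-policy", "dns-server", "authorization-server-group"}


def _obj(tok):
    """Consume one ACL address object (any | host A | A MASK); return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse_asa(text):
    """Extract only the objects the remote-access VPN checks need."""
    cfg = {"acl": {}, "pool": {}, "nat0": {}, "dyn": set(), "dyn_bound": set(), "cmap_acl": set(), "gp": {}, "tg": {}}
    ctx = None                                   # attribute dict of the block we are inside
    for tok in filter(None, map(str.split, text.splitlines())):
        if ctx is not None and tok[0] in ATTR_KEYS:
            ctx.setdefault(tok[0], []).extend(tok[1:])
            continue
        ctx = None
        if tok[0] == "access-list" and "permit" in tok:
            args = tok[tok.index("permit") + 1:]
            if tok[2] == "standard":                             # standard ACL: source only
                cfg["acl"].setdefault(tok[1], []).append((_obj(args)[0], None))
            elif args[0] == "ip":                                # extended: plain ip entries only
                src, rest = _obj(args[1:])
                cfg["acl"].setdefault(tok[1], []).append((src, _obj(rest)[0]))
        elif tok[:3] == ["ip", "local", "pool"]:                 # start address + mask -> pool network
            cfg["pool"][tok[3]] = ipaddress.ip_network(f"{tok[4].split('-')[0]}/{tok[6]}", strict=False)
        elif tok[0] == "nat" and tok[2] == "0":
            cfg["nat0"][tok[1].strip("()")] = tok[4]
        elif tok[:2] == ["crypto", "dynamic-map"]:
            cfg["dyn"].add(tok[2])
        elif tok[:2] == ["crypto", "map"] and tok[-2] in ("dynamic", "address"):
            cfg["dyn_bound" if tok[-2] == "dynamic" else "cmap_acl"].add(tok[-1])
        elif tok[0] == "group-policy" and tok[-1] == "attributes":
            ctx = cfg["gp"].setdefault(tok[1], {})
        elif tok[0] == "tunnel-group" and tok[-1] == "general-attributes":
            ctx = cfg["tg"].setdefault(tok[1], {})
    return cfg


def _has(entries, src, dst=None):
    """True if some ACL entry's source contains src (and its destination contains dst, when given)."""
    return any(src.subnet_of(s) and (dst is None or (d is not None and dst.subnet_of(d))) for s, d in entries)


def check_remote_access(cfg, tunnel_group, inside_if, internal_nets, l2l_nets=()):
    """Return findings; an empty list means every prerequisite named in the thread is met."""
    internal, l2l = ([ipaddress.ip_network(n) for n in ns] for ns in (internal_nets, l2l_nets))
    tg = cfg["tg"].get(tunnel_group, {})
    pool = cfg["pool"].get(tg.get("address-pool", [""])[0])
    gp = cfg["gp"].get(tg.get("default-group-policy", [""])[0], {})
    if pool is None:
        return [f"tunnel-group {tunnel_group} has no usable address-pool"]
    findings = []
    if "IPSec" not in gp.get("vpn-tunnel-protocol", []):                   # accepted answer, step 4
        findings.append("group-policy lacks 'vpn-tunnel-protocol IPSec'")
    if gp.get("split-tunnel-policy") == ["tunnelspecified"]:                # step 1, plus the L2L subnet
        acl = gp.get("split-tunnel-network-list", ["", ""])[1]
        split = cfg["acl"].get(acl, [])
        findings += [f"split-tunnel ACL {acl} does not include {n}" for n in internal + l2l if not _has(split, n)]
        if _has(split, pool):
            findings.append(f"split-tunnel ACL {acl} permits the VPN pool {pool} itself")
    nat0 = cfg["acl"].get(cfg["nat0"].get(inside_if), [])                   # step 2: NAT exemption
    findings += [f"nat 0 ACL on {inside_if} lacks {n} -> {pool}" for n in internal if not _has(nat0, n, pool)]
    if not cfg["dyn"] & cfg["dyn_bound"]:                                    # step 3: dynamic crypto map
        findings.append("no crypto dynamic-map is created and bound to the crypto map")
    static = [e for name in cfg["cmap_acl"] for e in cfg["acl"].get(name, [])]   # LAN-to-LAN crypto ACLs
    findings += [f"LAN-to-LAN crypto ACL lacks {pool} -> {n}" for n in l2l if not _has(static, pool, n)]
    return findings
```

Calling check_remote_access(parse_asa(CONFIG_BEFORE), "vpn_ipsec", "OLD-Private", ["192.168.17.0/24"]) returns five findings, one per defect the accepted answer lists plus the split-tunnel ACL permitting the pool itself; the same call on CONFIG_AFTER with ["192.168.10.0/24"] passed as the LAN-to-LAN subnet returns an empty list. The keyword-based ATTR_KEYS continuation exists because copy-pasted ASA configs (as in this thread) lose the leading space that marks sub-mode lines, so indentation cannot be trusted.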

Thanks. Will try in a few days and then post results.

Hi Jennifer,

Sorry, I didn't check and didn't change the ASA settings after the VPN was resolved. Anyway, I have access from the remote PC to my local network, so I don't really need access via the VPN client to the site-to-site tunnel.

All your instructions are perfect. Thank you very much!

Thanks for the update and ratings. Much appreciated.